BlackBerry Cylance Downplays, Patches Antivirus Bypass

BlackBerry Cylance has prepared an update for its CylancePROTECT product to address a recently disclosed bypass method, but the company has downplayed the impact of the issue.

Australia-based cybersecurity firm Skylight reported last week that its researchers had found a way to trick Cylance’s AI-based antivirus engine into classifying malicious files as benign.

They discovered what they described as a universal bypass method: taking strings from a certain video game, which Cylance products appeared to treat as a strong indicator of a benign file, and appending them to known malicious executables so the engine classified them as clean.

The researchers claimed they had achieved a success rate of over 83% in tests covering 384 malicious files, including hacking tools such as Mimikatz, ProcessHacker and Meterpreter, and malware such as CoinMiner, Dridex, Emotet, Gh0stRAT, Kovter, Nanobot, Qakbot, Trickbot and Zeus.

Skylight published its findings, withholding some details to prevent abuse, without first giving BlackBerry Cylance the chance to release a patch. The vendor immediately launched an investigation and by Sunday it determined that “the issue was not a universal bypass as reported, but rather a technique that allowed for one of the anti-malware components of the product to be bypassed in certain circumstances.”

“Analyzing a file with machine learning is a multi-stage process. During this process a file is first examined by a parser which extracts artifacts from the file known as features. Features can be any aspect of a file which can be interpreted or measured. These features are then passed to a mathematical algorithm for analysis,” the company explained. “This vulnerability allows the manipulation of a specific type of feature analyzed by the algorithm that in limited circumstances will cause the model to reach an incorrect conclusion.”

In response to the issue, BlackBerry Cylance has made some changes that should detect feature manipulation and tampering attempts. An update has already been made to cloud-based systems and a new agent will be rolled out to customer endpoints over the next few days.

SecurityWeek has reached out to Skylight to see if it has any comments on Cylance’s assessment.

Skylight noted that it chose Cylance for practical reasons, but believes other AI-based products are also susceptible to these types of attacks.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.